CyberWire Daily - Maximum severity vulnerability needs critical updates.
Episode Date: January 17, 2024

Atlassian issues critical updates. CISA and the FBI warn of AndroxGh0st. A GPU vulnerability hits major manufacturers. A Foxconn subsidiary in Taiwan gets hacked. Australians suffer breached credit cards through credential stuffing. A parade of horrible hackers and scammers. CISO accountability is highlighted at ShmooCon. Cybersecurity VC funding plummets. On the Learning Layer, N2K’s Executive Director of Product Innovation Sam Meisenberg lets us in on an A+ tutoring session. Don’t ask ChatGPT to handle your Amazon product listings.

CyberWire Guest
On the Learning Layer, N2K’s Executive Director of Product Innovation Sam Meisenberg lets us in on an A+ tutoring session he held with Jaden Dicks.

Selected Reading
Atlassian’s Confluence Data Center and Server Affected by Critical RCE Vulnerability, CVE-2023-22527: Patch Now (SOCRadar)
FBI, CISA warn of AndroxGh0st botnet for victim identification and exploitation (Security Affairs)
A new vulnerability affecting Apple, AMD, and Qualcomm GPUs could expose AI data (TechSpot)
Taiwan’s Foxconn subsidiary faces cyberattack (Taiwan News)
15,000 Aussies Affected After Binge, The Iconic Hacked (Pedestrian)
Hackers post disturbing videos to online forum used by UC Irvine students (ABC7)
Heartless scammers prey on hundreds of lost pet owners, demanding ransoms or else… (Bitdefender)
As hacks worsen, SEC turns up the heat on CISOs (TechCrunch)
Cybersecurity Startup Funding Hits 5-Year Low, Drops 50% From 2022 (Crunchbase)
Amazon Is Selling Products With AI-Generated Names Like "I Cannot Fulfill This Request It Goes Against OpenAI Use Policy" (Futurism)

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © 2023 N2K Networks, Inc.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Atlassian issues critical updates.
CISA and the FBI warn of AndroxGh0st.
A GPU vulnerability hits major manufacturers.
A Foxconn subsidiary in Taiwan gets hacked.
Australians suffer breached credit cards through credential stuffing.
A parade of horrible hackers and scammers.
CISO accountability is highlighted at ShmooCon.
Cybersecurity VC funding plummets.
On the learning layer, N2K's Executive Director of Product Innovation, Sam Meisenberg, lets us in on an A-plus tutoring session.
And don't ask ChatGPT to handle your Amazon product listings.
It's Wednesday, January 17th, 2024.
I'm Dave Bittner, and this is your CyberWire Intel Briefing. Hello, everyone. Thanks for joining us. It's great to have you with us.
Atlassian has issued a critical update advisory for its Confluence data center and server products to address a vulnerability which has been rated with the maximum severity of 10.0. The vulnerability is
characterized as a template injection issue and is present in older versions of Confluence data
center and server. It poses a significant risk of remote code execution by unauthenticated attackers
and impacts the confidentiality, integrity, and availability aspects of security.
No workarounds are available for this vulnerability, and Atlassian strongly recommends updating to the latest version to ensure protection, not only against this critical threat, but also against
other non-critical vulnerabilities mentioned in their January security bulletin. This vulnerability
is part of a series of security issues Atlassian
has been grappling with. In November of last year, CISA included a different Confluence Data Center
and server vulnerability in its known exploited vulnerabilities catalog following a warning from
Atlassian's CISO. Subsequently, Atlassian addressed RCE vulnerabilities in Bamboo and Crowd data center and server,
and in December, CISA highlighted the necessity for rapid action against other critical vulnerabilities affecting various Atlassian products.
CISA and the FBI have issued a joint cybersecurity advisory warning about AndroxGh0st malware. This Python-based malware was first identified
by cybersecurity firm Lacework in December 2022 and is being used to establish a botnet for
identifying and exploiting victims in vulnerable networks. It targets files containing sensitive
information like credentials for high-profile applications. The advisory details the malware's
capabilities, including scanning for and exploiting exposed credentials, API vulnerabilities,
and deploying web shells. To aid in defense, the U.S. agencies are sharing known indicators of
compromise and tactics, techniques, and procedures associated with the threat actors deploying AndroxGh0st.
The malware also has the functionality to generate keys for brute force attacks.
Tyler Sorensen, a cybersecurity researcher at Trail of Bits and UC Santa Cruz,
discovered a vulnerability affecting GPUs from Apple, AMD, Qualcomm, and Imagination Technologies. Named
LeftoverLocals, the vulnerability allows attackers to steal data from GPU local memory.
It's especially dangerous for large language models and machine learning workloads,
which tend to process large amounts of sensitive data. The researchers demonstrated a proof of concept
showing that attackers could listen into another user's interactive LLM session across boundaries.
The vulnerability exposes previously unknown security risks in the ML development stack.
The affected companies have responded differently. Apple patched its A17 and M3 processors, but older devices like the M2
MacBook Air remain vulnerable. The iPhone 15 is not affected. AMD confirmed its processors are
impacted and is working on mitigation. Qualcomm released a patch in firmware 2.07 for some
devices. Other devices may still be vulnerable. Imagination Technologies released a fix
in its DDK release 23.3 in December of last year. In Taiwan, Foxsemicon Integrated Technology,
a Foxconn subsidiary and semiconductor equipment manufacturer, suffered a cyber attack on January
16. Hackers hijacked the company's website, demanding a ransom
and threatening to release 5 terabytes of client data.
Cyber attacks are common against Taiwan's listed companies,
but they usually handle these incidents privately.
This attack, however, is notable as it involved defacing the company's website
and a public ransom demand.
The hacker's method of attack remains undisclosed.
Around 15,000 people in Australia have had their credit card information compromised due to a credential stuffing scam targeting major brands in that country.
The scam uses stolen passwords to access users' other accounts on different websites,
especially affecting customers who reuse login details and save their card information on these sites.
This event serves as a reminder of the importance of using unique passwords for different accounts
to enhance online security. Moving on to a pair of stories about horrible people.
Hackers recently targeted online forums used by students and teachers at UC Irvine in California.
They attacked Discord groups affiliated with UCI, exposing approximately 3,000 users to graphic videos showing human corpse desecration and animal mutilation. The content was so extreme that it reportedly caused physical distress among some students,
including instances of hospitalization due to excessive vomiting.
The cyber attack occurred on January 9th,
disrupting academic activities and causing significant distress.
These Discord servers are student-run and not officially overseen by UC
Irvine, according to a university spokesperson. The attackers apparently gained access through
a student's login information and demanded a ransom of $1,000. They claimed responsibility
for causing the deletion of one Discord club and boasted about the impact of their actions.
Meanwhile, in the UK, hundreds of pet owners have been targeted by scammers demanding ransom for lost pets. BBC News reports
that these fraudsters scan online forums where owners post about their lost dogs and cats,
then falsely claim to have the pets, demanding large sums for their return.
The scam preys on the owner's desperation to reunite with their pets,
often using social engineering tactics to make their claims seem credible.
Local police are investigating this widespread scheme and have had some success.
One case involving a man in his 20s who was sentenced to three years and eight months in prison
for this sort of blackmail.
He demanded thousands of pounds,
sometimes threatening harm to the animals,
and was caught after phone evidence linked him to the crimes.
With over 200 victims identified across the UK,
the investigation continues to pursue others involved in these offenses.
Zack Whittaker from TechCrunch filed a report from the ShmooCon hacker conference in Washington, D.C.,
where cybersecurity experts discussed the growing risks and legal responsibilities in their field.
A key theme was the increased legal scrutiny and risks facing professionals,
especially in light of recent high-profile legal cases involving cybersecurity mishandlings, like those at Uber and SolarWinds. The conference also
highlighted the impact of the new SEC cyber reporting rules, which mandate that companies
report significant security incidents within four business days. This has led to a surge in data breach disclosures
and emphasizes the ongoing responsibility of companies to update these disclosures.
The heightened legal and public scrutiny is particularly affecting high-level cybersecurity
roles. The accountability placed on executives, especially chief information security officers,
has made some professionals cautious about taking
on these positions. Despite these challenges, experts like startup lawyer Elizabeth Wharton,
former SEC prosecutor Danette Edwards, and tech investor Cindy Gula advised maintaining
thorough documentation and careful communication. They emphasize the importance of transparency and the need to adapt
to the scrutinized environment. Moreover, the shift to remote work has complicated the task
of maintaining a trusting corporate culture while ensuring everything is properly documented and
communicated. The panel stressed the importance of continuing to engage with cybersecurity roles,
urging professionals to
adapt to these evolving challenges and maintaining a proactive stance in their communications
and documentation practices. Two years ago, cybersecurity venture funding was booming,
reaching over $23 billion. However, in 2023, the sector experienced a significant decline, with funding falling to around a third of that amount, the lowest since 2018.
According to Crunchbase, security companies raised $8.2 billion across 692 venture capital deals in 2023, compared to 16.3 billion and 941 deals in the previous year. The downturn was particularly
noticeable in the fourth quarter, which saw only $1.6 billion raised. Despite the drop,
some cyber startups still managed to secure substantial funding. BlueVoyant closed a
Series E of over $140 million. Dallas-based Island raised $100 million in a
Series C round, and Verkada secured a $100 billion investment. Ofer Schreiber of YL Ventures
attributes this decrease in funding to the after-effects of the 2021 surge in cybersecurity
investment, characterized by high valuations and substantial funding rounds.
He notes that poor decisions made during that period continue to affect the sector. Many firms
are still trying to grow into the large valuations they received when funding was more readily
available. Startups that raised money in 2021 are now facing the need for additional funding
or considering selling as they approach the end of their financial runway.
Schreiber observes that startups are now adopting a more responsible approach to laying their foundations,
considering current market conditions and investor appetite.
Despite the downturn, the demand for cybersecurity solutions remained strong.
Global conflicts and the rise of generative AI technologies have escalated cyber threats,
making cybersecurity a top concern for companies and governments.
Coming up after the break, on our learning layer,
N2K's Executive Director of Product Innovation, Sam Meisenberg,
lets us in on an A-plus tutoring session.
Stay with us.
Sam Meisenberg is N2K's Executive Director of Product Innovation.
And in today's Learning Layer, he lets us in on an A-plus tutoring session.
Here's Sam.
Hello and welcome to Learning Layer.
In today's segment, you're going to be dropped into the middle of a tutoring session with Jaden Dicks,
who is actually our Urban Alliance intern.
More on Urban Alliance at the end of the segment.
Jaden is studying for his A-plus exam from CompTIA,
and we're going to do a practice question together.
Enjoy.
I understand that you brought a question for us to deal with that you're struggling with. So you want to maybe pull up that question or read it, and we can do it together?
For sure. Okay. So I love scenario-based questions, because not only do they challenge me, but they also give me, like, a real-world example of what to do, because of course my goal is to actually work in IT, not just know a question and answer it.
Sure.
So let me do the, um, first question. So it says, this is from one of my practice exams. Okay. You work for a data security firm. Your cloud development deployment must ensure that the company's data is always available, even in the event of a natural disaster. Which aspect of cloud computing best addresses this need? Now, here's the four options they give us.
Okay, hang on.
I want to pause this there, though.
Before we get into the four options, though,
a very good sort of question attack strategy
is to think about and try to predict
what the right answer would be.
So instead of just rushing into the answer choices,
you want to think about what you just read.
I'm going to go word for word.
Okay.
Your cloud deployment must ensure that the company's data is always available,
even in the face of a natural disaster. So you can start racking your brain about, well,
what are the cloud deployments? What do I know about cloud security? And of course,
the other big thing to take from that second half of the sentence is they care about availability.
Well, they care about data.
They care about data availability, right? For example, if you frame things in the CIA framework,
right? Yeah. Confidentiality, integrity, and availability. They are asking about that last A.
That's the priority, availability, right? So the answer, for example, is not going to be
some deployment that prioritizes encryption.
That's not what they're going to look for.
We're looking for availability.
Well, encryption helps with confidentiality because it helps secure stuff.
Okay, secure.
Caching, for example, that might help with integrity because it makes sure our data doesn't change in unexpected ways or we're alerted to when it changes unexpected ways. Right. Okay. Okay. So we care about availability. So when I
read this question, I am singularly focused on that priority and everything else they're going
to hit me with is probably just a distraction. So I am going into the answer choice, hunting for a
right answer that somehow has to do with availability or supports availability.
So Jaden, I think the difference is instead of just diving to the answer choice and keep reading,
we are setting ourselves up for success a little bit by trying to, you know, like,
understand the question fully. Yeah, exactly. We are internalizing what we just said. We're
trying to predict the right answer. We're going to get trapped or tricked a little less easily by the test maker if we can sort of, you know, like,
understand the question pretty well.
Makes sense.
All right, so now we're ready for the answer choices.
I'll try that on Friday.
Good, good. All right, now I'm ready for the answer choices. You want to read A?
Connectivity. Okay.
What does connectivity mean?
Connectivity is just, is it on or not?
Yeah, that's pretty much what connectivity is.
Pretty much is it on or not?
Okay.
So I'm not sure how you feel about this, but I could see a world where connectivity is sort of related to availability, right? It's got to be on.
It's got to be, you know, working.
Yes, but in the question, they're talking about, one, they're talking about security, and two, they're also talking about
in case of a natural disaster. Let's say your business got knocked down, and let's say you're a
multimillionaire, so the building is no problem, cool. But you have a whole bunch of
lost data now that's making you that money. You're not going to wonder, oh, is it connecting? That's stupid.
It's not connected. It's destroyed. But yeah, that's why connectivity is just not a good answer
to use. Okay. Okay, cool. So A is out. What does B say? Replication. What is replication?
Replication is just the same data, a copy. That's what I'm trying to say. It's a copy of the same
data. Yeah. So based on what we talked about and how you just define replication, what do you think about that as an answer choice?
I think that would be an excellent answer choice because if everything you got got hit and you have a replica, you can get right back to business.
There you go. That's right. So if I were you in this situation, I would feel really good about
B. I'm like, okay, I got B. I felt okay about A, but B is definitely better. And now I go into
looking at C and D very skeptically. And that's the type of like mindset you have. Because again,
you are controlling the answer choices. You're not letting the test control you.
So, all right, read C and D for us.
C is automation and D is encryption.
All right. So let's start with D, the easy one. We already said that doesn't help with that availability, right? It doesn't. It helps with confidentiality.
Nice. Nice. Good. So E is totally out. And then let's go back to D, which is automation. Tell
me about that one.
C is automation.
I'm sorry. C is automation.
So tell me about C, automation.
C, let's say somebody visits your website, right?
They will automatically get a session ID automatically.
They don't have to ask for one.
They automatically get one.
What we're talking about is the availability of your data.
So that doesn't really affect your availability.
That affects performance, I should say.
Got it.
So I think if I could say this back to you,
maybe what you're saying is automation
is more like a process, right?
Yes, it's very much more of a process.
And in this case, we're looking for
like an actual deployment model,
which B would be.
Yes.
Okay, good.
So let's check the right answer.
Can you check it?
What's the right answer?
It's B.
Nice.
Good work.
Good work.
Good stuff.
Yes, sir.
So I think maybe you felt the difference there, right?
In that multiple choice question, which was a tricky one, we read the question stem.
We asked about, you know,
what details in the question mattered.
We rephrased the question.
We digested it.
And then we tried to predict the right answer,
which helped us,
even if we didn't get the right answer,
it helped us eliminate some answer choices, right?
So that's a good sort of approach
where you feel more control of the question
rather than the question controlling you.
Well, Jaden, I wish you the best of luck on Friday.
You walk in like you own it, because you do, and look forward to having you back to hear how you did.
Okay.
All right. Thank you, Jaden.
Thank you for having me.
So I had mentioned that Jaden is an Urban Alliance intern. So I just want to give a quick word about Urban Alliance and the work that they do.
They work with schools and employers across the greater Washington, D.C. area, Baltimore, Chicago, and Detroit
to address systemic barriers to economic mobility and bridge the gap between education and workforce
for young adults of color.
They're always interested in adding more IT
and cybersecurity partners.
So if you or your organization is interested,
please visit urbanalliance.org backslash contact us.
If you or someone you know is just getting started in IT,
the A-plus Core Series Certifications from CompTIA demonstrate the fundamental knowledge and skills needed for today's IT pros.
N2K just launched an on-demand training course for the A-plus Core 1 exam.
As a certified training partner, rest assured you'll be well-prepped for the exam.
Learn from a top
instructor with years of industry and teaching experience, access robust content that's delivered
in digestible lessons, and test your knowledge with our extensive library of questions and
explanations that cover everything that's on the Core 1 exam. Visit n2k.com slash a dash core dash one to learn more.
Again, that's n2k.com slash a dash four dash one.
Happy studying. That's N2K's Sam Meisenberg.
And finally, Amazon's marketplace is facing a peculiar issue
with product listings evidently created using ChatGPT,
leading to absurd and incorrect descriptions.
A bizarre example includes a dresser named
"I'm sorry, but I cannot fulfill this request. It goes against OpenAI use policy,"
highlighting the misuse of AI in generating product names and descriptions
without proper oversight or proofreading.
This issue extends beyond a single product with various items from
outdoor furniture to hoses carrying similar AI-generated nonsensical names and descriptions.
These listings seem to be the work of resellers using ChatGPT to quickly create product listings,
likely aiming to optimize for search engines. This approach has resulted in listings that are confusing and inaccurate,
raising questions about the effectiveness of Amazon's review process for products on its site.
Amazon has responded by removing these listings and promising to enhance their systems.
The situation reflects broader challenges in Amazon's marketplace,
which has faced criticism for AI-generated
fake reviews, potentially unsafe products, and copyright issues.
The Wall Street Journal previously reported finding thousands of unsafe or deceptively
labeled items on Amazon.
While the use of ChatGPT for product listings presents lower risks compared to unsafe products,
it still signifies a concerning trend in e-commerce.
Vendors are minimally investing in their product listings,
relying on AI automation for content creation.
Amazon, in providing a platform for these vendors,
faces scrutiny for its role in this issue,
especially as the company explores monetizing AI technology
itself. Hey Alexa, come up with a snazzy name for my fancy new dresser.
I'm sorry, Dave. I'm afraid I can't do that.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
We'd love to know what you think of this podcast.
You can email us at cyberwire at n2k.com.
We're privileged that N2K and podcasts like The Cyber Wire
are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector,
as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies.
N2K Strategic Workforce Intelligence optimizes the value of your biggest investment, your people.
We make you smarter about your team while making your team smarter.
Learn more at n2k.com.
This episode was produced by Liz Stokes.
Our mixer is Trey Hester
with original music by Elliot Peltzman.
Our executive producers are Jennifer Ivan and Brandon Karp.
Our executive editor is Peter Kilby,
and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.